The US government may be quick to blame Russian software companies for giving the Kremlin backdoor access, but it appears even the country's own security agencies aren't clean. At least 18,000 US law enforcement agencies and the Federal Bureau of Investigation use fingerprint software that reportedly includes code written by a Russian firm with close ties to the Kremlin.

The revelation comes amid concerns that this code could have given the Russian government backdoor access to information about millions of Americans. The information comes from two whistleblowers who were employees of the French company that inserted the code into the fingerprint analysis software.

The report, published by BuzzFeed, also claims that the French company that added this code kept it "deliberately concealed from the FBI" and didn't inform the agency that it had purchased "the Russian code in a secret deal." However, an agency that itself continues to demand backdoor access should know better, and it is expected to audit the code used by thousands of law enforcement agencies. BuzzFeed reports:

The Russian company whose code ended up in the FBI’s fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service – the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of US targets.

The French company Sagem Sécurité, later renamed Morpho, was at the time a subsidiary of the Paris-based conglomerate Safran. The company reportedly added code from the Russian company Papillon AO to boost the performance of its fingerprint recognition system in order to win the US government contract.

The whistleblowers named in the report are Philippe Desbois, former CEO of the company's operations in Russia, and Georges Hala, who worked on Morpho's business development team in Russia. The report says that Desbois has "filed a whistleblower lawsuit in federal court accusing Safran of fraudulently collecting about $1 billion from federal, state, and local agencies." Desbois claims that at least three high-level officials told him never to disclose the agreement between Morpho and the Russian firm, as it could hurt the company's business in the US market.

“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm.’”

In response to the BuzzFeed report, the FBI said that "all commercial software" it operates goes through "appropriate security reviews" before deployment.

Desbois and Hala further claim that the agreement between the French and Russian companies isn't even known to the company's own employees.

Both Desbois and Hala said they discovered the existence of the agreement licensing the Russian company’s code after they questioned their bosses’ instructions not to compete with Papillon for certain contracts. It was then, they said, that company officials explained that the two companies had an unwritten agreement not to encroach on each other’s business in certain countries — an arrangement that violates antitrust laws, the whistleblower claim alleges. Desbois and Hala said that they obtained a copy of the licensing agreement because they wanted to see for themselves whether it spelled out the terms of the noncompete pact; it did not.

Not the first time this controversy has made it to the headlines

While BuzzFeed goes into the details of this potential cyber espionage drama, this isn't the first time these allegations have been made. Last summer, when the lawsuit was unsealed, it revealed most of these details, but no action was taken. While the latest reports and revelations focus on the French company and its ties to the FSB through a Russian firm, it is the Department of Defense that will again need to answer why it gives such a large share of its security contracts to foreign companies with Silicon Valley in its backyard.

Earlier this year, the Trump administration issued a ban on all software from the Russian company Kaspersky Lab. The popular antivirus firm has an official presence in the US and has found itself at the front line of what it calls a geopolitical fight. Yet companies like the one above, which hid their agreements and code from the FBI, remain among the agency's biggest contractors. According to the publication, Morpho was sold to the US private-equity firm Advent International, with the French investment bank Bpifrance taking a stake.

The company is now known as Idemia and offers "fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US." The latest BuzzFeed report claims that Idemia is "a powerful lobbying force in Washington, and it is currently fighting to kill legislation that would endanger its status as the sole provider of fingerprint services for the TSA PreCheck program."